ubuntustudio-bugs team mailing list archive
Message #02679
[Bug 1460403] Re: Shell Command Injection in cmyk-tiff-2-cmyk-pdf.py
** Information type changed from Private Security to Public
--
You received this bug notification because you are a member of Ubuntu
Studio Bugs, which is subscribed to gimp-plugin-registry in Ubuntu.
Matching subscriptions: Ubuntu Studio Bugs
https://bugs.launchpad.net/bugs/1460403
Title:
Shell Command Injection in cmyk-tiff-2-cmyk-pdf.py
Status in gimp-plugin-registry package in Ubuntu:
Incomplete
Bug description:
File:
/usr/share/gimp/2.0/scripts/cmyk-tiff-2-cmyk-pdf.py
is vulnerable to Shell Command injection because it uses the old
"os.system" command on multiple lines.
For example, line No. 108
can be attacked when "cmd" or "this_file2" contains Shell Commands:
if os.path.isfile(this_file2):
    command = "%s \"%s\" &" % (this_cmd, this_file2)
    os.system(command)
Please change all os.system calls to subprocess.Popen()
Thank you ;-)
ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: gimp-plugin-registry 7.20140602ubuntu1
ProcVersionSignature: Ubuntu 3.19.0-18.18-generic 3.19.6
Uname: Linux 3.19.0-18-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 2.17.2-0ubuntu1.1
Architecture: amd64
CurrentDesktop: KDE
Date: Sun May 31 12:30:37 2015
InstallationDate: Installed on 2015-05-15 (15 days ago)
InstallationMedia: Kubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422)
SourcePackage: gimp-plugin-registry
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gimp-plugin-registry/+bug/1460403/+subscriptions
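A hardened form of the pattern quoted in the report, following the reporter's suggestion of subprocess.Popen with an argument list in place of os.system. This is an added example, not code from the plugin or from the bug report; the file name TRICKY_NAME, the use of `true` as a stand-in viewer, and the Python interpreter used to echo back its argument are constructed for the demonstration.

```python
import os
import subprocess
import sys
import tempfile

# The vulnerable original built one shell string and handed it to /bin/sh:
#     command = "%s \"%s\" &" % (this_cmd, this_file2)
#     os.system(command)
# so any quote or shell metacharacter inside this_file2 was parsed as shell
# syntax. Passing an argv list with the default shell=False avoids that.


def open_file_safely(this_cmd, this_file2):
    # Returns the Popen object, or None if the file is missing. Not waiting
    # on the returned process gives the same effect as the original '&'.
    if not os.path.isfile(this_file2):
        return None
    # The filename reaches the child as exactly one argument; it is never
    # re-parsed, so no quoting or escaping is required.
    return subprocess.Popen([this_cmd, this_file2])


def argv_seen_by_child(this_file2):
    # Stand-in "viewer" (constructed for the demo): the Python interpreter
    # printing back sys.argv[1], so we can see what the child received.
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')",
         this_file2],
        capture_output=True, text=True, check=True)
    return proc.stdout


# Constructed file name containing characters a shell would act on.
TRICKY_NAME = 'odd name $(HOME) & ; "quoted" | x.tiff'


def demo_launch():
    # Create a real file with the tricky name and launch 'true' on it
    # (constructed stand-in for the real viewer). Returns the exit status.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, TRICKY_NAME)
        open(path, "w").close()
        proc = open_file_safely("true", path)
        return proc.wait()


if __name__ == "__main__":
    print(repr(argv_seen_by_child(TRICKY_NAME)))
    print("exit status:", demo_launch())
```

Run on its own, the script prints the tricky name back unchanged and an exit status of 0, showing the metacharacters were never interpreted.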